800-53 rev3 FINAL

NIST has released the final copy of SP 800-53 rev3 “Recommended Security Controls for Federal Information Systems and Organizations”. This document is the encyclopedia of security controls for federal agencies and this is the third revision since it was originally released in 2005.

The impact level baseline information bar that was removed in the Final Public Draft (FPD) has been returned, but the new table of impact and priority level information is still included. This compromise gives you a choice of how to access the information.

Several sections of the main text (not the Appendices) have been largely rewritten, but the changes appear to be mostly wordsmithing and fine-tuning of meanings, with nothing drastic. These areas include:

  • common controls
  • external environments
  • security control assurance
  • tailoring and supplementing the baseline

There are many small cosmetic changes in this final version from the previous draft. Most of the significant changes to this document were put in place in the draft versions before this final copy. They were discussed in previous posts and are summarized below.

800-53 rev3 FPD Final Public Draft

The FPD included many more changes to controls, control enhancements and Organizationally Defined Parameters (ODPs) on top of what had already been done in the IPD (see below). The baseline allocation bar in each control was eliminated and replaced with a table that also included control implementation priorities.

800-53 rev3 IPD Initial Public Draft

  • re-designed security controls, control enhancements, ODPs and baseline assignments
  • new program management family of controls
  • more emphasis on common controls
  • mapping from NIST controls to ISO 27001

SEE ALSO: NIST Special Publications (800 series) – [nist.gov]
